National Science Foundation • 4201 Wilson Boulevard • Arlington, Virginia 22230
Office of Inspector General

DATE:      February 18, 2014

TO:        Dr. Cora Marrett,
           Director (Acting), National Science Foundation

FROM:      Dr. Brett M. Baker
           Assistant Inspector General for Audit

SUBJECT:   Federal Information Security Management Act FY 2013 Independent Evaluation
           Report, Report Number 14-2-003

This memorandum transmits CliftonLarsonAllen LLP's (CLA) Federal Information Security Management Act of 2002 (FISMA) FY 2013 Independent Evaluation Report. In accordance with Office of Management and Budget (OMB) Memorandum M-14-04, FY 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, we previously provided the Inspector General Section of NSF's FY 2013 FISMA Report, which was submitted through the OMB automated reporting tool on December 2, 2013.

CliftonLarsonAllen's Independent Evaluation Report includes eight new findings, as follows:

   • USAP needs to improve controls over policies and procedures.
   • USAP needs to improve configuration management controls.
   • USAP needs to complete MOUs/ISAs for the General Support System Local-Area Network (GSS LAN) and Enterprise Business System (EBS) interconnections.
   • USAP needs to improve the timeliness of system remediation based on scan results.
   • USAP needs to improve account management controls.
   • USAP needs to improve assessment and authorization controls.
   • NSF Security Assessment Reports (SARs) need to consistently identify all assessed risks.
   • NSF needs to address weaknesses in role-based IT security awareness and training.

The report also includes 11 previous findings, as follows:

   • The USAP "Advanced Revelation" suite of applications needs to be replaced.
   • USAP needs to develop, document, and implement a disaster recovery plan for its Antarctica operations at its Denver data center.
   • NSF needs to promptly remove the information technology accounts of separated employees and contractors.
   • USAP needs to review its System Security Plan for consistency with NIST requirements.
   • USAP needs to enforce NSF's password and account management policies at USAP.
   • NSF needs to address weaknesses in its IT accreditation packages.
   • NSF needs to address weaknesses in its IT identification and authorization controls.
   • NSF needs to address weaknesses in its IT configuration management controls over baseline conformance.
   • NSF needs to address weaknesses in its IT configuration management controls over ACM$ Change Management.
   • NSF needs to address weaknesses in the NSF and USAP Incident Response program.
   • NSF needs to improve controls over IT account management.

Please note that this year's Independent Evaluation Report includes summarized versions of findings reported in a separate IT Management Letter (dated December 12, 2013) prepared in conjunction with CLA's audit of NSF's FY 2013 financial statements, which is being transmitted under separate cover. CLA considers the management letter findings relevant to the FISMA report because the specific conditions identified for NSF's financial systems are also covered by FISMA.

The Independent Evaluation was performed in conjunction with the annual audit of NSF's financial statements. A draft of the Independent Evaluation Report was previously submitted to your staff, and their comments were considered in preparing this final report.

In accordance with OMB Circular A-50, Audit Follow-Up, we request that NSF submit a written corrective action plan to our office within 60 days of the date of this memorandum to address the recommendations in the Independent Evaluation. This corrective action plan should identify the specific actions your office has taken or plans to take to address each recommendation, along with the associated milestone date. We are available to work with your staff to ensure the submission of a mutually agreeable corrective action plan.

We appreciate the courtesies and cooperation extended to CliftonLarsonAllen LLP during the evaluation. If you or your staff have any questions, please contact Tom Moschetto, Director, Financial and IT Audits, at (703) 292-7398, or me at (703) 292-2985.

Attachment

cc:  Dan Arvizu, Chair, National Science Board
     G.P. Peterson, Chair, Audit and Oversight Committee
     Kathryn Sullivan, Senior Advisor, OD
     Eugene Hubbard, Director, OIRM
     Amy Northcutt, Chief Information Officer
     Roger Wakimoto, Assistant Director, GEO
     Kelly K. Falkner, Director, PLR
     Martha Rubenstein, Director and CFO, BFA
     Susanne LaFratta, Senior Advisor, PLR


NATIONAL SCIENCE FOUNDATION

FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)

2013 INDEPENDENT EVALUATION REPORT

December 12, 2013


CliftonLarsonAllen LLP
www.claconnect.com

Ms. Allison Lerner
Inspector General
National Science Foundation
4201 Wilson Boulevard
Arlington, Virginia 22230

Dear Ms. Lerner:

We are pleased to provide the FY 2013 FISMA Independent Evaluation Report. The report details the results of our review of the National Science Foundation's (NSF) information security program. FISMA requires Inspectors General to conduct annual evaluations of their agency's security programs and practices and to report the results of their evaluations to the Office of Management and Budget (OMB). OMB Memorandum M-14-04 ("FY 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management") provides this year's instructions for meeting the FISMA reporting requirements.

We separately provided the Fiscal Year (FY) 2013 Office of Inspector General (OIG) response to Memorandum M-14-04, based on our independent evaluation as of September 30, 2013, on our subsequent review, through the date of this report, of documentation supporting the security program performance statistics reported by NSF management, and on our review of the Foundation's Plans of Action and Milestones (POA&Ms).
In preparing our responses, we collaborated closely with NSF management and appreciate their cooperation throughout this effort.

We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

NSF management has provided us with a response to this 2013 FISMA Independent Evaluation Report, which is presented in Exhibit A. We did not audit management's response and, accordingly, do not provide any conclusion on it.

This report is issued for the restricted use of the Office of Inspector General, the management of NSF, the National Science Board and its Audit & Oversight Committee, and the Office of Management and Budget, and is marked Sensitive But Unclassified.

We appreciate the opportunity to assist your office with these reports. Should you have any questions, please call George Fallon at (301) 931-2050.

Calverton, Maryland
December 12, 2013


TABLE OF CONTENTS
                                                                    Page

TRANSMITTAL LETTER ...................................................  i
I.    EXECUTIVE SUMMARY ..............................................  2
II.   BACKGROUND .....................................................  3
III.  OBJECTIVES .....................................................  4
IV.   SCOPE AND METHODOLOGY ..........................................  4
V.    DETAILS OF RESULTS .............................................  5
      A. Prior Year Results ..........................................  5
      B. Current Year Results ........................................  6
VI.   FINDINGS AND RECOMMENDATIONS ...................................  7
VII.  OTHER INFORMATION COMMUNICATED TO MANAGEMENT ................... 21
VIII. EXHIBIT A – AGENCY COMMENTS .................................... 22


I. EXECUTIVE SUMMARY

Title III of the E-Government Act of 2002 (Public Law No. 107-347), also called the Federal Information Security Management Act (FISMA), requires agencies to adopt a risk-based, life cycle approach to improving computer security that includes annual security program reviews, independent evaluations by Inspectors General (IG), and reporting to the Office of Management and Budget (OMB) and the Congress.
It also codifies existing policies and security responsibilities outlined in the Computer Security Act of 1987 and the Clinger-Cohen Act of 1996.

Based on the results of our Fiscal Year (FY) 2013 independent evaluation, we determined that the National Science Foundation (NSF) has an established information security program and has been proactive in reviewing security controls and identifying areas in which to strengthen this program.

The FY 2012 Independent Evaluation Report included eight findings. Four of the findings dated from FY 2010 and earlier, and three of these remain open. Two of these three findings relate to NSF's United States Antarctic Program (USAP) operating environment and disaster recovery plans. NSF continues to develop plans to correct these weaknesses now that the new Antarctic Support Contractor has completed the transition to replace its predecessor. The remaining reissued prior year finding relates to the need for NSF to ensure prompt revocation of user access upon termination. The finding related to the security risks associated with NSF's overall network topology has been closed.

The other four findings in the FY 2012 report include two that have been closed, related to patch management and the need to include required elements in C&A documentation. The two that are being reissued as repeat findings, both for USAP, are the need to update System Security Plans to be consistent with National Institute of Standards and Technology (NIST) requirements, and the need to enforce NSF password and account management policies more consistently at USAP.

We are reporting eight new FISMA-related findings in FY 2013, six for USAP and two for NSF:

   • 13-01: USAP - Policies/procedures documentation (availability, completeness, accuracy)
   • 13-02: USAP - Configuration management (change management)
   • 13-03: USAP - Assessment and authorization (MOUs/ISAs)
   • 13-04: USAP - Risk assessment (scanning procedures)
   • 13-05: USAP - Access controls (account management)
   • 13-06: USAP - Assessment and authorization (risk understanding and acceptance)
   • 13-07: NSF - Assessment and authorization (Security Assessment Reports)
   • 13-08: NSF - Weaknesses in NSF role-based IT security awareness and training
     (Note: Finding 13-08 is drawn from our Management Letter)


II. BACKGROUND

NSF is an independent agency established by the National Science Foundation Act of 1950 to promote the progress of science; to advance the national health, prosperity, and welfare; and to secure the national defense. NSF is the funding source for approximately 20% of all federally supported basic research conducted by America's colleges and universities. In many fields, such as mathematics, computer science, and the social sciences, NSF is the major source of Federal funding. NSF also funds national research centers, state-of-the-art research facilities, and USAP.

NSF does not operate its own laboratories or research facilities but rather acts as a catalyst, providing state-of-the-art tools and facilities, identifying the most capable people, and allowing them to pursue innovation.

One of NSF's major programs is USAP. The Division of Polar Programs (part of the Directorate for Geosciences, previously the Office of Polar Programs, or OPP) manages and initiates NSF funding for basic research and operational support for USAP under a primary contract with Lockheed Martin Corporation known as the Antarctic Support Contract (ASC). Operating under extreme environmental and logistical conditions in Antarctica creates special challenges for effective execution of USAP's mission of supporting scientific research, requiring extensive global support and coordination of communications, personnel, and supplies.

NSF has become increasingly dependent on computerized information systems to execute its scientific research and operations and to process, maintain, and report essential information. As a result, the reliability of computerized data and of the systems that process, maintain, and report this data is a major priority for NSF. While the increase in computer interconnectivity has changed the way the government does business, it has also increased the risk of loss and misuse of information by unauthorized or malicious users. Protecting information systems continues to be one of the most important challenges facing government organizations today.

Through FISMA, the U.S. Congress showed its intention to enhance the management and promotion of electronic government services and processes. Its goals are to achieve more efficient government performance, increase access to government information, and increase citizen participation in government.
FISMA also provides a comprehensive framework for ensuring the effectiveness of security controls over information resources that support federal operations and assets. It also codifies existing policies and security responsibilities outlined in the Computer Security Act of 1987 and the Clinger-Cohen Act of 1996.

NSF operates an open and distributed computing environment to facilitate collaboration and knowledge sharing and to support its mission of promoting science, engineering research, and education. It faces the challenging task of maintaining this environment while protecting its critical information assets against malicious use and intrusion.

The NSF Office of Inspector General (OIG) contracted with CLA to conduct NSF's FY 2013 FISMA Independent Evaluation. We performed this evaluation in conjunction with our review of the information security controls required as part of the annual financial statement audit, issued on December 12, 2013.


III. OBJECTIVES

The purposes of this evaluation were to assess the effectiveness of NSF's information security program and practices and to determine compliance with the requirements of FISMA and related information security policies, procedures, standards, and guidelines.


IV. SCOPE AND METHODOLOGY

To perform our review of NSF's security program, we followed a work plan based on the following guidance:

   • National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations, for the specification of security controls;
   • NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, and SP 800-53A, Rev. 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, for the assessment of security control effectiveness;
   • Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM, GAO-09-232G); and
   • CliftonLarsonAllen's general controls review methodology. The combination of these methodologies allowed us to meet the requirements of both FISMA and the Chief Financial Officers (CFO) Act.

Our procedures included following up on recommendations made in the FY 2012 Independent Evaluation Report; performing internal and external security reviews of NSF's information technology (IT) infrastructure; reviewing agency Plans of Action and Milestones (POA&Ms); and evaluating the following subset of NSF's major systems as part of our three-year rotation strategy:

   • Core Financial System (FAS - Financial Accounting System) components:
        o Standard General Ledger
        o Budget Execution/Funds Management
   • Awards/Grants Management System:
        o Electronic Jacket
        o Research.gov (ACM$ module only)
   • Non-Financial & General Support Systems:
        o NSF Network (LAN), general controls only (no Vulnerability Assessment with Penetration Testing)
   • United States Antarctic Program:
        o USAP Enterprise Business System application (EBS)
        o USAP Enterprise Network General Support System (GSS), including Vulnerability Assessment with Penetration Testing

We performed procedures to test (1) NSF's implementation of an entity-wide security plan, and (2) operational and technical controls specific to each application, such as service continuity, logical access, and change controls. We also performed targeted tests of controls over financial and grant processing applications and processes. We performed our review from April 2013 to September 30, 2013 at NSF's headquarters in Arlington, Virginia. Finally, we tested the USAP EBS and GSS in July 2013 in Denver, Colorado.

NSF management and staff were very helpful and accommodating throughout this review and assisted us in refining the recommendations. This independent evaluation was prepared based on information available as of September 30, 2013.


V. DETAILS OF RESULTS

A. Prior Year Results

The FY 2012 Independent Evaluation Report identified eight (8) findings, reported as other weaknesses (i.e., not significant enough to be reported as a significant deficiency in accordance with OMB classification guidelines).
The following table summarizes the findings reported in FY 2012 and their current status:

   Finding   Current Year Status   Description
   06-01     Reissued              The USAP "Advanced Revelation" suite of applications needs to be replaced.
   06-02     Reissued              USAP needs to develop, document, and implement a Disaster Recovery Plan for its Antarctica operations.
   10-04     Reissued              NSF needs to promptly remove the information technology (IT) accounts of separated employees and contractors.
   10-05     Closed                NSF needs to improve the security of its network topology, as the present design poses a potential security weakness.
   12-01     Closed                NSF needs to improve its patch management process for the timely resolution and mitigation of logical security vulnerabilities.
   12-02     Closed                NSF needs to correct the USAP C&A documentation process to include required elements.
   12-03     Reissued              USAP needs to review its System Security Plans for consistency with NIST requirements.
   12-04     Reissued              USAP needs to enforce NSF's password and account management policies consistently.
B. Current Year Results

The following table summarizes both the reissued/repeat and new findings noted as of September 30, 2013. Note that this year's Independent Evaluation Report includes summarized versions of findings reported in a separate IT Management Letter (dated December 12, 2013) prepared in conjunction with the audit of NSF's FY 2013 financial statements. We consider the management letter findings relevant to the FISMA report because the specific conditions identified for NSF's financial systems are also covered by FISMA. Findings carried forward from the IT management letter (identified by the prefix "ML") are distinguished from the other security program weaknesses affecting non-financial systems discussed in this report. The status shown for IT ML findings also differs from that of FISMA-only findings in that they may appear as "Repeat" or "Modified Repeat":

   Finding    Current Year Status   Description
   06-01      Reissued              The USAP "Advanced Revelation" suite of applications needs to be replaced.
   06-02      Reissued              USAP needs to develop, document, and implement a Disaster Recovery Plan for its Antarctica operations.
   10-04      Reissued              NSF needs to promptly remove the information technology (IT) accounts of separated employees and contractors.
   12-03      Reissued              USAP needs to review its System Security Plans for consistency with NIST requirements.
   12-04      Reissued              USAP needs to enforce NSF's password and account management policies consistently.
   ML-12-07   Repeat                NSF needs to address weaknesses in its IT accreditation packages.
   ML-12-09   Modified Repeat       NSF needs to address weaknesses in its IT identification and authorization controls.
   ML-12-10   Repeat                NSF needs to address weaknesses in its IT configuration management controls over baseline conformance.
   ML-12-11   Modified Repeat       NSF needs to address weaknesses in its IT configuration management controls over ACM$ Change Management.
   ML-12-12   Modified Repeat       NSF needs to address weaknesses in the NSF and USAP Incident Response program.
   ML-12-13   Repeat                NSF needs to improve controls over IT account management.
   13-01      New                   USAP needs to improve controls over policies and procedures.
   13-02      New                   USAP needs to improve configuration management controls.
   13-03      New                   USAP needs to complete MOUs/ISAs for the General Support System Local-Area Network (GSS LAN) and Enterprise Business System (EBS) interconnections.
   13-04      New                   USAP needs to improve the timeliness of system remediation based on scan results.
   13-05      New                   USAP needs to improve account management controls.
   13-06      New                   USAP needs to improve assessment and authorization controls.
   13-07      New                   NSF Security Assessment Reports (SARs) need to consistently identify all assessed risks.
   ML-13-08   New                   NSF needs to address weaknesses in role-based IT security awareness and training.

We have discussed these comments and suggestions with agency personnel, and we will be pleased to discuss them in further detail at your convenience. We will review the status of these comments during our subsequent year's audit engagement.


VI. FINDINGS AND RECOMMENDATIONS

06-01 The USAP "Advanced Revelation" Suite of Applications Needs to be Replaced. (Re-Issued)

Operational support of scientific research through the United States Antarctic Program (USAP) is the principal responsibility of the Division of Polar Programs (Polar, formerly the Office of Polar Programs) and its contractor, Lockheed Martin, under the Antarctic Support Contract (ASC). Prior to the award of the new support contract on April 1, 2012, Raytheon Polar Services Company (RPSC) was the main contractor. To provide this support, Polar depends on a complex array of network systems and applications provided by the contractor, which are spread across nine operating sites.

In FY 2006, we reported that the Advanced Revelation application (AREV) was outdated and had inherent security weaknesses.
USAP uses the Disk Operating System (DOS)-based AREV on Microsoft Windows platforms (i.e., native DOS programs, as there is no Windows version) to process transactions in various applications, including: (a) the Personnel Tracking System (PTS), which manages USAP business processes involving Personally Identifiable Information (PII), including hiring records, social security numbers (SSNs), and medical processing checklists; (b) the Cargo Tracking System (CTS), for tracking inventory to and from Antarctica; (c) MAPCON, which provides inventory management and equipment-maintenance records; and (d) Power 1000, a procurement and receiving subsystem.

AREV was developed using a programming language that is now outdated, and it is becoming increasingly difficult to interface with newer systems and platforms. Revelation Software has ceased development and maintenance of AREV. As a result, AREV is difficult to maintain and may not function with newer technologies, which may reduce NSF's efficiency in carrying out its mission.

Security in this DOS-based environment is weak: users with access privileges on one application in this suite can inappropriately or unnecessarily access several other applications. In addition, continuity of operations cannot be ensured when confronted with forced hardware changes and Local Area Network (LAN) operating system upgrades. Securing trained personnel and vendors with the requisite expertise to support these antiquated systems will be increasingly difficult.

In FY 2010, the Office of Polar Programs and USAP management analyzed the USAP production environment and the risks of continuing to operate the AREV application. As a result, USAP planned to replace the AREV system by Q4 FY 2014.

In FY 2013, Polar is actively working with its new contractor, Lockheed Martin ASC, to determine the best strategy to replace AREV.

Recommendations (06-01):

We recommend, as we have previously (since FY 2006), that:

   • The NSF Division of Polar Programs replace the AREV suite of applications with a scalable, vendor-supported database management system.


06-02 USAP Needs to Develop, Document, and Implement a Disaster Recovery Plan for its Antarctica Operations. (Re-Issued)

Contingency planning and disaster recovery refer to measures to recover IT services following an emergency or system disruption. Interim measures may include 1) relocation of IT systems and operations to an alternate site, 2) recovery of IT functions using alternate equipment, and 3) performance of IT functions using manual methods.

IT systems are vulnerable to a variety of disruptions, ranging from mild (e.g., short-term power outage, disk drive failure) to severe (e.g., equipment destruction, fire), from a variety of sources such as natural disasters and terrorist actions. While many vulnerabilities may be minimized or eliminated through technical, management, or operational solutions as part of the organization's risk management effort, it is virtually impossible to completely eliminate all risks.
Effective\ncontingency planning, execution, and testing are essential to mitigate the risk of system and\nservice unavailability.\n\nBeginning in FY 2006, we reported that:\n\n   \xef\x82\xb7\t\t USAP did not have alternate wide area network links or an alternate network security\n       perimeter location to continue mission network communications and general support\n       systems in case the Denver operating location becomes unavailable.\n   \xef\x82\xb7\t\t There was no alternate-site redundancy in key mission support information systems to\n       ensure failsafe recovery in the event of an extended interruption at the central Denver\n       data center.\n\n\n\n                                                8\n\n\x0cIn FY 2010, OPP management completed strategic planning to mitigate the potential risk of\ninterruption to USAP program operations.\n\nIn FY 2013, the Division of Polar Programs is working with its new contractor, Lockheed Martin,\nto determine the best strategy for contingency planning and disaster recovery. Implementation\nis to be determined.\n\nRecommendations (06-02)\n\nWe recommend, as we have previously (since FY 2006) that:\n\n   \xef\x82\xb7\t\t NSF Division of Polar Programs implement its initiative to create alternate network\n       connectivity in the event of an emergency. This connectivity should be in a geographic\n       area that is unlikely to be affected negatively by the same disaster event as the\n       organization\xe2\x80\x99s primary site. In making this decision, NSF should consider other USAP\n       operating locations already in use, in addition to established commercial providers of\n       alternative site services (colocation facilities, data center hosting facilities, restoration\n       network services, etc.).\n\n\n10-04 NSF needs to remove information technology (IT) accounts for separated\nemployees on a timely basis. 
(Re-Issued)\n\nWe noted the following weaknesses in the National Science Foundation (NSF)\xe2\x80\x99s controls over\nseparated employees and contractors:\n\n   \xef\x82\xb7\t\t Exit Clearance Forms were not appropriately completed for 6 of the 25 employees that\n       we tested. Specifically, we noted the following:\n           o\t\t 3 of the Exit Forms were not signed by the Authorizing Official (AO) or the\n               Contracting Officer\xe2\x80\x99s Technical Representative (COTR).\n           o\t\t 3 of the forms were not completed within 2 business days of the employee's\n               termination date in accordance with NSF procedures.\n   \xef\x82\xb7\t\t Identity Management system (IDM) help desk tickets were not opened within 2 business\n       days of the individual\xe2\x80\x99s termination date for 6 of the 25 individuals.\n   \xef\x82\xb7\t\t There was one (1) terminated individual identified that still had eJacket access.\n\nNote: NSF formally closed the related POA&M on 7/1/2013. The above individuals terminated\nbefore that date; however, some of them did not have their exit clearance process completed\nuntil after July 1st, and the eJacket individual cited retained access after that date.\n\nRecommendations (10-04):\n\nWe recommend, as we have previously (since FY 2010) that:\n\n   \xef\x82\xb7\t\t NSF strengthen controls to ensure that clearance forms are properly completed and\n       maintained for terminated employees and contractors.\n   \xef\x82\xb7\t\t NSF ensure the system accounts of terminated users are deactivated timely.\n\n\n\x0c12-03 NSF needs to review USAP System Security Plans for consistency with NIST\nrequirements. 
(Re-Issued)\n\nWe noted the following weaknesses in the accreditation packages for the USAP Enterprise\nOperations System (EOS), the USAP General Support System (GSS) and the USAP Enterprise\nBusiness System (EBS):\n\n   \xef\x82\xb7\t\t The EOS System Security Plan (SSP) was not fully consistent with NIST SP 800-18 Rev. 1,\n       Guide for Developing Security Plans for Federal Information Systems and SP 800-53 Rev.3\n       requirements. For example, we noted the following:\n        o\t\t The IA-5 control implementation did not address the server operating systems.\n        o\t\t Control enhancement AC-17(5) was not addressed in the control implementation.\n        o\t\t The CP-9(1) control implementation does not identify the organizationally defined\n            frequency for testing backup information to verify media reliability and information\n            integrity. The controls only state that Backup Exec tests media reliability at the\n            conclusion of any backup job but that does not address the control requirement.\n        o\t\t The RA-5 control implementation does not identify organizationally defined\n            response times for remediating vulnerabilities.\n\n   \xef\x82\xb7\t\t The USAP GSS System Security Plan (SSP) was not fully consistent with NIST SP 800-\n       18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems and SP\n       800-53 Rev.3 requirements. For example, we noted the following:\n        o\t\t The CP-9(1) control implementation does not identify the organizationally defined\n            frequency for testing backup information to verify media reliability and information\n            integrity. 
The controls only state that Backup Exec tests media reliability at the\n            conclusion of any backup job but that does not address the control requirement.\n        o\t\t The RA-5 control implementation does not identify organizationally defined\n            response times for remediating vulnerabilities.\n        o\t\t Some results from USAP Security Assessments documented in the Security\n            Assessment Management Review (SAMR) workbook were not incorporated into\n            the GSS System Security Plan. For example, the AU-1, MP-1, PS-1, PE-1, PS-1,\n            and AC-6 controls status state that the controls are satisfied; however, there are\n            weaknesses identified in the SAMR workbook for these controls.\n        o\t\t The GSS SSP indicates credentialed scans do not cover all devices since they are\n            limited to a sample of approximately 100 machines; however, USAP is actually\n            performing credentialed scans on all machines.\n\n   \xef\x82\xb7\t\t The USAP EBS System Security Plan (SSP) was not fully consistent with NIST SP 800-\n       18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems and SP\n       800-53 Rev.3 requirements. For example, we noted the following:\n        o\t\t The CP-9(1) control implementation does not identify the organizationally defined\n            frequency for testing backup information to verify media reliability and information\n            integrity. 
The controls only state that Backup Exec tests media reliability at the\n            conclusion of any backup job but that does not address the control requirement.\n        o\t\t The RA-5 control implementation does not identify organizationally defined\n            response times for remediating vulnerabilities.\n        o\t\t The IA-5 control enhancements and implementation states that passwords must be\n            a minimum of 12 alphanumeric characters and the system prevents reuse of the\n            previous 24 passwords; however, we found that the password length for POLAR\n            ICE was set to a minimum of 8 instead of 12 alphanumeric characters. Additionally,\n            POLAR ICE password history was set to remember 10 passwords instead of 24.\n\n\n                                              10 \n\n\x0c         o\t\t Interconnection Security Agreements (ISAs) have not been completed for the\n             interconnections with HealthLink and UTMB; however, the CA-3 control\n             implementation does not state that the ISAs are not in place.\n\nRecommendations (12-03)\n\nNIST SP 800-53 has been updated and Revision 4 was issued in April 2013. Federal agencies\nare expected to comply by April 2014. Our recommendations have been updated with this in\nmind.\n\nWe recommend that:\n\n  \xef\x82\xb7    NSF ensure the USAP EOS SSP is updated to be consistent with NIST SP 800-18 rev.1\n       and 800-53 rev.4 Requirements.\n  \xef\x82\xb7    NSF ensure the USAP GSS SSP is updated to be consistent with NIST SP 800-18 rev.1\n       and 800-53 rev.4 Requirements.\n  \xef\x82\xb7    NSF ensure the USAP EBS SSP is updated to be consistent with NIST SP 800-18 rev.1\n       and 800-53 rev.4 Requirements.\n\n\n12-04 NSF needs to enforce its password and account management policies at USAP.\n(Re-Issued)\n\nPassword settings for POLAR ICE were not consistent with NSF policy. 
Specifically, we noted\nthe following:\n\n   \xef\x82\xb7\t\t Password length was set to a minimum of 8 instead of 12 characters.\n   \xef\x82\xb7\t\t Password history was set to remember 10 instead of 24 passwords.\n\nRecommendations (12-04)\n\nWe recommend that:\n\n   \xef\x82\xb7\t\t NSF ensure the USAP POLAR ICE password settings are consistent with defined NSF\n       password standards\n\n\nML-12-07 (Repeat): Weaknesses in NSF IT Accreditation Packages\n\nWe noted the following weaknesses in the accreditation packages for NSF systems:\n\n   \xef\x82\xb7   The NSF Network System Security Plan (SSP) was not fully consistent with NIST SP\n       800-18 rev.1 and SP 800-53 rev.3 requirements.\n   \xef\x82\xb7   The Research.gov System Security Plan (SSP) was not fully consistent with NIST SP\n       800-18 rev.1 and SP 800-53 rev.3 requirements.\n   \xef\x82\xb7   The FAS System Security Plan (SSP) was not fully consistent with NIST SP 800-18\n       rev.1 and SP 800-53 rev.3 requirements.\n   \xef\x82\xb7   The eJacket System Security Plan (SSP) was not fully consistent with NIST SP 800-18\n       rev.1 and SP 800-53 rev.3 requirements.\n\n\n\n\n                                             11 \n\n\x0cNSF started a new streamlined certification and accreditation process (C&A), now Assessment\n& Authorization (A&A), in FY 2010. The new process was designed to have all the controls\ndocumented in the Cybersecurity Assessment and Management system (CSAM), and provide\nsummary documents to authorizing officials for approval. NSF staff first document all of the\ncontrols and security testing results in CSAM, and then pull the information into the security\nplans. 
When the information is not entered correctly into CSAM, or controls are not adequately\naddressed, then incomplete and inaccurate information is transferred over to the actual security\nplans, and may not be detected by plan reviewers, in turn negatively affecting the reliable review\nof documentation in CSAM.\n\nWeaknesses in A&A documentation increase the risk that appropriate security controls will not\nbe consistently applied. System resources may not be properly protected if risk is not properly\nassessed and documented. Thus, NSF is exposed to increased risk of data modification or\ndeletion. Unauthorized changes could occur undetected. If the information contained in the\nauthorization package (i.e., the security plan, and the security assessment report) are not\nappropriately updated, the authorizing official and the information system owner may not have\nan up-to-date status of the security state of the information system and authorizing officials may\nnot have all of the information necessary to make an informed risk based authorization decision.\n\nRecommendations (ML-12-07)\n\nNIST SP 800-53 has been updated and Revision 4 was issued in April, 2013. Federal agencies\nare expected to comply by April 2014. 
Our recommendations have been updated with this in\nmind.\n\nWe recommend that:\n\n   \xef\x82\xb7   NSF enhance its review process to ensure the accuracy and completeness of its System\n       Security Plans (SSP).\n   \xef\x82\xb7   NSF update the NSF Network SSP to be consistent with NIST 800-18 rev.1 and 800-53\n       rev.4 requirements.\n   \xef\x82\xb7   NSF update the FAS SSP to be consistent with NIST 800-18 rev.1 and 800-53 rev.4\n       requirements.\n   \xef\x82\xb7   NSF update the Research.gov SSP to be consistent with NIST 800-18 rev.1 and 800-53\n       rev.4 requirements.\n   \xef\x82\xb7   NSF update the eJacket SSP to be consistent with NIST 800-18 rev.1 and 800-53 rev.4\n       requirements.\n\n\nML-12-09 (Modified Repeat): Weaknesses in NSF IT Identification and Authentication\nControls\n\nWe noted the following weaknesses in NSF\xe2\x80\x99s identification and authentication controls for\ninformation systems:\n\n   \xef\x82\xb7   Lightweight Directory Access Protocol (LDAP) password settings were not consistent\n       with NSF policy.\n   \xef\x82\xb7   Password settings for the Sybase database supporting FAS and eJacket were not\n       consistent with NSF policy.\n   \xef\x82\xb7   Research.gov Oracle database password settings were not consistent with NSF policy.\n   \xef\x82\xb7   Password settings for the Sybase database supporting ACM$ were not consistent with\n       NSF policy.\n   \xef\x82\xb7   During the prior year audit, CLA noted weaknesses in specific password and account\n       lockout settings for the Solaris operating system supporting Research.gov. As a part of\n       our current year audit process, CLA was notified by NSF that corrective actions were still\n       ongoing.\n\nNSF is in the process of updating its baseline configuration requirements for its databases and\noperating systems that include strong password controls. 
NSF plans to complete this process in\nFY 2014.\n\nWeaknesses in identification and authentication controls increase the risk that individuals may\nobtain unauthorized access to NSF systems, thus putting systems and data at risk of\nunauthorized disclosure, modification or destruction.\n\nRecommendations (ML-12-09)\n\nWe recommend that:\n\n   \xef\x82\xb7   NSF ensure LDAP password settings are consistent with NSF password requirements.\n   \xef\x82\xb7   NSF ensure password settings for the Sybase database that supports FAS and eJacket\n       are consistent with NSF password and account lockout requirements.\n   \xef\x82\xb7\t\t NSF ensure password settings for the Research.gov Oracle and Sybase databases\n       (including ACM$, which is implemented as a module within Research.gov using Sybase)\n       and its supporting Solaris operating system are consistent with NSF password and\n       account lockout requirements.\n\n\nML-12-10 (Repeat): Weaknesses in NSF IT Configuration Management Controls \xe2\x80\x93\nBaseline Conformance\n\nWe noted the following weaknesses in NSF\xe2\x80\x99s configuration management controls:\n\n   \xef\x82\xb7   The production Sybase database that supports the FAS and eJacket applications was\n       not configured in accordance with the documented Sybase Configuration Checklists.\n   \xef\x82\xb7   The production Sybase database that supports the ACM$ module was not configured in\n       accordance with the documented Sybase Configuration Checklists.\n\nNSF is in the process of updating its baseline configuration requirements for its Sybase\ndatabases and implementing the baselines on its financial applications. NSF plans to complete\nthis process in FY 2014.\n\nWeaknesses in configuration management controls increase the risk that system components\nmay not have security settings consistently applied, thus putting the information systems and\ndata at risk. 
NSF may be exposed to increased risk of data modification or deletion.\nUnauthorized changes could occur and go undetected.\n\nRecommendations (ML-12-10):\n\nWe recommend that:\n\n   \xef\x82\xb7   NSF ensure the production Sybase database supporting the FAS and eJacket\n       applications is configured in accordance with the approved baseline and any deviations\n       are properly authorized and approved.\n   \xef\x82\xb7   NSF ensure the production Sybase database supporting the ACM$ module is configured\n       in accordance with the approved baseline and any deviations are properly authorized\n       and approved.\n\n\nML-12-11 (Modified Repeat): Weaknesses in NSF IT Configuration Management Controls \xe2\x80\x93\nACM$ Change Management\n\nWe noted weaknesses in NSF\xe2\x80\x99s controls for managing configuration changes to ACM$.\n\nNSF\xe2\x80\x99s procedures to implement its change control policies are not adequate, which leads to\nincomplete documentation of the review and approval process for system changes. NSF uses\nClearQuest to document change requests. Approvals are not maintained in the NSF ClearQuest\nsystem. NSF informed us that detailed changes were entered into ClearQuest for pending\nchanges to be included in the upcoming release; however, no approvals are performed at\nthat point. We were informed that a collection of application releases with the selected change\nrequests are reviewed in a single Readiness Review presentation. However, change requests\nshould be approved and scheduled before changes are developed and tested.\n\nWeaknesses in configuration management controls, including documentation of review and\napproval, increase the risk that unauthorized changes may be implemented without going\nthrough the appropriate change control process. 
Unapproved changes may adversely impact\nthe integrity and/or security of the application, which may lead to unauthorized transactions, or\nmodification or deletion of data.\n\nRecommendations (ML-12-11):\n\nWe recommend that:\n\n   \xef\x82\xb7   NSF ensure change approvals are documented for all changes and that the approvals\n       clearly indicate which changes are being approved.\n   \xef\x82\xb7   NSF ensure all of the appropriate approval signatures are documented for each change.\n\nML-12-12 (Modified repeat): Weaknesses in NSF and USAP Incident Response\n\nThere were weaknesses in the procedures both NSF and USAP followed for handling incidents.\n\nAlthough NSF has documented its Computer Security Incident Response Plan and Procedures,\nthe requirements were not always followed. As a result, security incidents were not documented,\ntracked and reported in line with the NSF procedures. The NSF procedures centralize the\nincident response handling and reporting capability; however in practice, USAP has a level of\nflexibility in handling and reporting incidents that was not documented within the current NSF\nprocedures.\n\nWeaknesses in incident response controls increase the risk that incidents may not be reported\nor resolved within NSF\xe2\x80\x99s time frames, which may lead to unauthorized access to sensitive\n\n\n                                               14 \n\n\x0cinformation, and/or malicious modification or deletion of data or transactions. 
NSF may not be\nable to correlate current incidents to past incidents to identify trends or widespread attacks.\nAdditionally, lessons learned may not be incorporated into the incident response process to\nenable management to improve the process.\n\nRecommendations (ML-12-12):\n\nWe recommend that:\n\n   \xef\x82\xb7   NSF ensure all security incidents are consistently identified as such, and are\n       documented and tracked within its incident tracking system.\n   \xef\x82\xb7   NSF ensure all security incidents are categorized in line with the US-CERT Incident\n       Categories.\n   \xef\x82\xb7   NSF ensure all applicable security incidents are reported to US-CERT in a timely\n       manner.\n   \xef\x82\xb7   NSF ensure USAP incidents are handled in accordance with the centralized incident\n       handling process or formally document and implement alternative processes for USAP.\n\n\nML-12-13 (Repeat): Weaknesses in Account Management\n\nWe noted the following weaknesses in NSF\xe2\x80\x99s account management controls:\n\n   \xef\x82\xb7   NSF does not maintain documentation evidencing the authorization and approval of\n       eJacket access permissions.\n   \xef\x82\xb7   There are weaknesses in the NSF process for periodically recertifying access\n       permissions for the Sybase databases supporting its financial applications.\n   \xef\x82\xb7   FAS access permissions were not consistent with the access e-mails for one (1) of the\n       25 individuals tested.\n\nNSF\xe2\x80\x99s current process does not require Administrative Managers to maintain documentation\nevidencing approvals for granting eJacket access permissions. Also, the recertification process\nfor Sybase databases did not include sending out a list of database accounts. 
Individuals\nrequesting FAS access permissions are not always aware of the access that they are\nrequesting; as a result, the system administrators sometimes interpret the intention of requests\nwhile granting access.\n\nWeaknesses in account management controls increase the risk that users may have\nunauthorized access to NSF systems and data.\n\nRecommendations (ML-12-13):\n\nWe recommend that:\n\n   \xef\x82\xb7   NSF ensure authorization and approval of eJacket access permissions are documented\n       and maintained.\n   \xef\x82\xb7   NSF strengthen controls to ensure that access permissions for the FAS, eJacket, and/or\n       ACM$ Sybase databases are recertified periodically.\n   \xef\x82\xb7   NSF strengthen controls to ensure that the assigned access permissions for the FAS\n       users are consistent with the approval emails that requested the access.\n   \xef\x82\xb7\t\t NSF ensure the individuals responsible for approving FAS access permissions are\n       aware of the meaning of the access permissions that they are requesting.\n   \xef\x82\xb7\t\t NSF ensure Administrative Officers (AO) are trained on the various FAS job classes and\n       the actions that they allow an individual to perform. Additionally, system administrators\n       should not interpret unclear access requests, and should instead have the AO resubmit\n       an updated request after working with them to identify the specific access permissions\n       needed.\n\n\n13-01 USAP needs to improve controls over policies and procedures (New)\n\nWe noted weaknesses in USAP\xe2\x80\x99s controls over policies and procedures. 
Specifically,\n\n   \xef\x82\xb7\t\t Some USAP policies and procedures were not available for review when initially\n       requested, though the missing policies and procedures were eventually provided\n       (between 9/4/2013 and 9/6/2013) after we clarified the need to review documents\n       actually in place during the year vs. those that were being updated and undergoing\n       management review when initially requested in July 2013. Specifically, we noted the\n       following policies and procedures that were not received in time to allow for appropriate\n       testing:\n            o\t\t Systems and Communications Protection\n            o\t\t Systems and Information Integrity\n            o\t\t System and Services Acquisition\n            o\t\t System Maintenance\n            o\t\t Media Protection and Sanitization\n            o\t\t Policies and procedures for granting, removing and periodically reviewing Virtual\n                Private Network (VPN) access for the USAP General Support System Local Area\n                Network (GSS LAN)\n            o\t\t USAP Policies and procedures for reviewing and disabling inactive accounts.\n\n   \xef\x82\xb7\t\t There are weaknesses in the USAP Audit and Accountability Policies and Procedures.\n       Specifically, we noted the following:\n          o\t\t The USAP auditing policy and procedure documents are not finalized or\n               authorized, nor do they have documented management commitment\n          o\t\t USAP Security Auditing Policy does not facilitate implementation of all audit and\n               accountability controls, including establishing a policy requirement for audit\n               storage capacity and response to audit processing failures\n          o\t\t The audit and accountability procedure IT-A-9309 QSP-System Auditing has not\n               been reviewed/updated in accordance with the organizational defined frequency,\n               \xe2\x80\x9cannually\xe2\x80\x9d\n          
o\t\t The list of events USAP information systems must be capable of auditing is not\n               based on a risk assessment. Additionally, the subset of auditable events defined\n               in AU-2 to be audited within the information system is not based on current threat\n               information and ongoing assessment of risk.\n          o\t\t The USAP policy does not define the frequency of auditing each identified event.\n\n   \xef\x82\xb7\t\t The NSF Information Security Handbook has conflicting requirements for session locks.\n       The Access Control Section of the document requires a session lock after 30 minutes of\n       inactivity while the Security Control Parameters section lists the requirement at 15\n       minutes.\n\n\n\n                                              16 \n\n\x0cRecommendations (13-01)\n\nWe recommend that:\n\n   \xef\x82\xb7\t\t NSF ensure USAP policies and procedures for key IT controls are accessible and readily\n       available.\n   \xef\x82\xb7\t\t NSF ensure USAP finalizes, approves, and implements Audit and Accountability Policies\n       and Procedures that adequately address risks in the USAP systems auditing\n       environment. 
The procedures should address controls such as audit storage capacity\n       and response to audit processing failures, list of auditable events based on risk\n       assessment, and frequency of auditing each identified event.\n   \xef\x82\xb7\t\t NSF update the Information Security Handbook to include the appropriate session lock\n       settings.\n\n\n13-02 USAP needs to improve configuration management controls (New)\n\nWe noted the following weaknesses in USAP\xe2\x80\x99s configuration management controls:\n\n   \xef\x82\xb7\t\t USAP does not test and validate some changes to the USAP GSS information system\n       before implementing the changes on the operational system.\n   \xef\x82\xb7\t\t USAP GSS system components (e.g., servers and networking devices with various\n       operating systems) were not consistent with their standard configurations and\n       unauthorized changes to configuration settings were not investigated.\n\nRecommendations (13-02)\n\nWe recommend that:\n\n   \xef\x82\xb7   USAP test and validate all GSS changes to the information system before implementing\n       the changes on the operational system.\n   \xef\x82\xb7   USAP ensure the GSS systems are configured in accordance with the approved\n       standard configurations and any deviations are properly investigated and approved.\n\n\n13-03 USAP needs to complete MOUs/ISAs General Support System Local-Area Network\n(GSS LAN) and Enterprise Business System (EBS) interconnections (New)\n\nUSAP has not completed the implementation of interconnection security agreements (ISA) and\nmemoranda of understanding (MOU) for all USAP General Support System Local-Area Network\n(GSS LAN) or Enterprise Business System (EBS) interconnections.\n\nRecommendations (13-03)\n\nWe recommend that:\n\n   \xef\x82\xb7\t\t NSF ensure ISAs and MOUs are documented for all external systems with\n       interconnections to the USAP GSS and EBS systems.\n\n\n\n\n                                            17 
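The findings under 12-04, ML-12-09, ML-12-10 and 13-02 above all come down to one check: compare each system's effective settings with the approved baseline, and treat any difference that is not covered by a documented, still-valid approval as a finding. The Python script below is an added illustration of that check; it is not part of the CLA report and is not NSF or USAP tooling. The 12-character minimum length and 24-password history are the NSF parameters cited in the report. The lockout and session-lock rows, the key = value dump format, the EXAMPLE-SYS system and its approval record are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional

# Required values: 12 characters / 24 remembered passwords are the NSF parameters the
# report cites (12-03, 12-04); the lockout and session-lock rows are assumed for illustration.
BASELINE = {
    "min_password_length": (">=", 12),
    "password_history": (">=", 24),
    "lockout_threshold": ("<=", 5),           # assumed value
    "lockout_duration_minutes": (">=", 15),   # assumed value
    "session_lock_minutes": ("<=", 15),       # assumed value
}
OPS: Dict[str, Callable[[int, int], bool]] = {
    ">=": lambda observed, required: observed >= required,
    "<=": lambda observed, required: observed <= required,
}

@dataclass
class Deviation:
    """A documented, authorized deviation: approver, approved value, expiry date."""
    system: str
    setting: str
    approved_value: int
    approved_by: str
    expires: date

@dataclass
class Finding:
    system: str
    setting: str
    required: str
    observed: Optional[int]
    status: str  # noncompliant | approved_deviation | expired_deviation | missing

def parse_settings(text: str) -> Dict[str, int]:
    """Parse a 'key = value' dump (constructed format, one setting per line).
    Blank lines and '#' comments are skipped; a non-integer value raises ValueError."""
    settings: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = int(value.strip())
    return settings

def check_system(system, observed, deviations, today) -> List[Finding]:
    """Compare observed settings with BASELINE. A failing setting is an approved deviation
    only if an unexpired approval exists for that exact value; an absent setting is
    reported as missing rather than assumed compliant."""
    approvals = {d.setting: d for d in deviations if d.system == system}
    findings = []
    for setting, (op, required) in BASELINE.items():
        value = observed.get(setting)
        if value is None:
            findings.append(Finding(system, setting, f"{op} {required}", None, "missing"))
            continue
        if OPS[op](value, required):
            continue
        dev = approvals.get(setting)
        if dev is None or dev.approved_value != value:
            status = "noncompliant"
        elif dev.expires < today:
            status = "expired_deviation"
        else:
            status = "approved_deviation"
        findings.append(Finding(system, setting, f"{op} {required}", value, status))
    return findings

# Constructed sample dumps. POLAR ICE carries the 8 / 10 values the report cites; every other
# number, the EXAMPLE-SYS system and its approval record are made up for the example.
POLAR_ICE_DUMP = """
min_password_length = 8
password_history = 10
lockout_threshold = 5
lockout_duration_minutes = 15
session_lock_minutes = 15
"""
EXAMPLE_SYS_DUMP = """
min_password_length = 10
password_history = 24
lockout_threshold = 3
lockout_duration_minutes = 30
"""
DEVIATIONS = [Deviation("EXAMPLE-SYS", "min_password_length", 10, "Authorizing Official", date(2014, 9, 30))]

def summarize(findings):
    return {(f.setting, f.status) for f in findings}

def run_example(year: int, month: int, day: int) -> Dict[str, set]:
    today = date(year, month, day)
    systems = {"POLAR ICE": POLAR_ICE_DUMP, "EXAMPLE-SYS": EXAMPLE_SYS_DUMP}
    return {name: summarize(check_system(name, parse_settings(dump), DEVIATIONS, today))
            for name, dump in systems.items()}

if __name__ == "__main__":
    for system, result in run_example(2013, 7, 15).items():
        print(system, sorted(result))
```

Two design choices carry the weight of the recommendations. A setting that the dump does not report is surfaced as missing rather than silently passed, because an unreported setting is exactly the case an assessor cannot evidence. An approval only covers the value it was granted for and only until it expires, so an Acceptance of Residual Risk that names a different value, or that the Authorizing Official never signed, does not convert a noncompliant setting into an approved deviation.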
\n\n\x0c13-04 USAP needs to improve timeliness of system remediation based on scan results\n(New)\n\nWe noted the following weakness in USAP\xe2\x80\x99s vulnerability assessment controls:\n\n   \xef\x82\xb7\t\t Vulnerabilities noted from the scans of the USAP systems are not always remediated\n       timely. For instance the June 2013 USAP IT Security Management Report showed that\n       the corrective actions for resolving 85 moderate vulnerabilities were delayed. CLA scans\n       performed during July 2013 identified 7 hosts with addressable (exploitable)\n       vulnerabilities that could be addressed through timely patching.\n\nRecommendations (13-04)\n\nWe recommend that:\n\n   \xef\x82\xb7\t\t NSF ensure that vulnerabilities from the USAP scans are remediated within\n       organizationally defined time periods.\n   \xef\x82\xb7\t\t USAP consider modifying IS-SOP-9306 to require remediation of vulnerabilities\n       designated \xe2\x80\x98critical and high\xe2\x80\x99 instead of \xe2\x80\x98high and medium\xe2\x80\x99 to align the procedure with\n       current practices.\n\n\n13-05 USAP needs to improve account management controls (New)\n\nWe noted the following weaknesses in USAP\xe2\x80\x99s account management controls:\n\n   \xef\x82\xb7\t\t Access permissions for the SHIELD application\xe2\x80\x99s users were not appropriately\n       authorized and approved. A USAP User Service Request form was not completed until\n       8/29/2013 for 9 of the 10 users that we tested even though they had SHIELD access\n       prior to 7/8/2013. 
The documentation provided showed 30 SHIELD users who were\n       granted access to the system without having an initial approved user service request.\n   \xef\x82\xb7\t\t Access forms or evidence of recertification were not available for 22 of the 25 POLAR\n       ICE application users that we tested.\n   \xef\x82\xb7\t\t The date that the USAP datacenter visitor logs were reviewed was not documented on\n       the record provided; therefore, we could not establish whether the reviews were actually\n       occurring on a quarterly basis.\n   \xef\x82\xb7\t\t Details of the USAP datacenter access recertification were not provided for review.\n\nRecommendations (13-05)\n\nWe recommend that:\n\n   \xef\x82\xb7   NSF ensure that USAP access permissions for SHIELD users are approved and\n       documented.\n   \xef\x82\xb7   NSF ensure that USAP strengthens controls so access permissions for the POLAR ICE\n       users are recertified and documented periodically.\n   \xef\x82\xb7   USAP document the date of review of data center access logs as part of the evidence to\n       show that the logs are reviewed quarterly.\n   \xef\x82\xb7   USAP ensure that the datacenter access list is reviewed periodically and the details of\n       the review documented.\n\n\n\x0c13-06 USAP needs to improve assessment and authorization controls (New)\n\nWe noted the following weaknesses in USAP\xe2\x80\x99s Assessment and Authorization controls.\nSpecifically, we noted the following:\n\n   \xef\x82\xb7\t\t There was no evidence that all weaknesses identified in the USAP Security Assessment\n       Reports, including items from the SAMR (Security Assessment Management Review\n       workbook), are provided to the Authorizing Official (AO) or included in the plan of actions\n       and milestones (POA&M) or in any other updates periodically provided to the AO.\n   \xef\x82\xb7\t\t During the FY2013 audit, we noted that USAP has not 
completed corrective actions for\n       NFR 12-04. USAP has documented an Acceptance of Residual Risk (AORR) for EOS\n       subsystems that did not meet NSF password requirements and for EOS systems that\n       used shared accounts; however there was no evidence that the AO explicitly accepted\n       the risk.\n\nRecommendations (13-06)\n\nWe recommend that:\n\n   \xef\x82\xb7\t\t NSF ensure that all weaknesses identified in the USAP Security Assessment Reports,\n       (SARs) including items from the SAMR, are provided to the designated NSF Authorizing\n       Official so that he or she can decide which risks to accept.\n   \xef\x82\xb7\t\t USAP ensure that the NSF Authorizing Official is provided with periodic security status\n       reports to demonstrate that the effectiveness of security controls employed within and\n       inherited by the system is monitored and communicated.\n   \xef\x82\xb7\t\t NSF ensure that password settings for USAP EOS components are consistent with NSF\n       password and account lockout requirements. Alternatively, if NSF proceeds with\n       accepting the associated risks for EOS, the Authorizing Official should approve the\n       Acceptance of Residual Risk (AORR) document.\n   \xef\x82\xb7\t\t NSF ensure that individual accounts are used for all USAP EOS users or establish\n       compensating controls to ensure individual accountability for actions performed with\n       shared accounts. Alternatively, if NSF proceeds with accepting the associated risks for\n       EOS, the Authorizing Official should approve the AORR document.\n\n\n13-07 NSF Security Assessment Reports (SARs) need to identify consistently all\nassessed risks (New)\n\nWe noted the following weaknesses in NSF\xe2\x80\x99s Assessment and Authorization controls:\n\nThe NSF Network, FAS, Research.gov, and eJacket SARs, which document the risk\nassessments, did not include all the risks that are applicable to the systems. 
Specifically,

   •  The SARs did not include 3 NSF open POA&Ms that are due to be closed on 9/30/2013.
      The open POA&Ms include Finding Nos. 12-07, 12-09, and 12-10.
   •  The SARs did not include the systemic risks associated with the kinds of vulnerabilities
      identified over time in weekly NSF vulnerability scans, such as computers with missing
      patches that have not yet been remediated for an extended period of time despite the
      availability of patches to address the vulnerabilities. While SARs are not expected to be
      updated for each and every new vulnerability as found through ongoing scanning, they
      should identify where such unremediated vulnerabilities continue to be found over time.

Recommendations (13-07):

We recommend that:

   •  NSF ensure the Risk Assessments documented in the Security Assessment Reports for
      NSF Network, FAS, Research.gov, and eJacket are updated to include all risks
      applicable to the systems, including those that may be derived from open vulnerabilities
      noted in POA&Ms and vulnerability scans.
   •  NSF ensure the Assessment and Authorization process for NSF Network, FAS,
      Research.gov, and eJacket includes consideration of all open risks noted in the
      POA&Ms and identified over time through ongoing vulnerability scans.


ML-13-08 (New) Weaknesses in NSF Role-based IT Security Awareness and Training

We noted the following weaknesses in NSF’s security awareness and role-based training
controls:

   •  Documentation was not available to show that Security Awareness Training was
      completed and Rules of Behavior were signed for 3 of the 25 individuals that we tested.
   •  NSF does not provide role-based security training for Authorizing Officials, system
      owners, security control assessors and IT Security Officers.

NSF is still in the process of implementing controls to strengthen its process for monitoring
users to ensure that they complete the annual security awareness training. Additionally, NSF
provides role-based security training for system administrators; however, the role-based training
program has not been updated to include training requirements for additional individuals with
significant IT security responsibilities elsewhere in the security assessment and authorization
process, including Authorizing Officials, System Owners, Security Control Assessors, and IT
Security Officers.

Weaknesses in security awareness and role-based training controls increase the risk that users
may not be aware of their responsibilities for protecting NSF systems and data. This could result
in unauthorized access to NSF systems and data.

Recommendations (ML-13-08):

We recommend that:

   •  NSF strengthen controls to ensure that annual security awareness training is completed
      and rules of behavior forms are signed and maintained for all employees and contractors
      before they obtain access to NSF systems.
   •  NSF ensure Authorizing Officials, System Owners, Security Control Assessors, and IT
      Security Officers complete appropriate role-based security training.


VII. OTHER INFORMATION COMMUNICATED TO MANAGEMENT

We conducted internal and external vulnerability assessments and penetration testing on USAP
systems located in Denver, Colorado, in July 2013, in accordance with formal Rules of
Engagement agreed upon with NSF management. We performed this testing to identify possible
weaknesses in USAP’s logical security controls, to attempt to exploit discovered
vulnerabilities, and to determine the degree of control an attacker could achieve after a
successful penetration. During our assessment, we discovered live, accessible hosts residing
on internal USAP networks and conducted overt and covert vulnerability assessments on IP
addresses in use. We sought approval prior to exploiting discovered vulnerabilities, but did not
conduct additional testing based on the identified exploitable vulnerabilities. We then advised
management in a separate document on corrective actions to strengthen its environment
further.


VIII. EXHIBIT A – AGENCY COMMENTS
